Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the
Transportation Security Administration Component
of the FY 2013 Department of Homeland Security
Financial Statement Audit

OIG-14-97                                                      May 2014


OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

May 28, 2014

MEMORANDUM FOR:  Stephen Rice
                 Chief Information Officer
                 Transportation Security Administration

                 David Nicholson
                 Chief Financial Officer
                 Transportation Security Administration

FROM:            Richard Harsche
                 Acting Assistant Inspector General
                 Office of Information Technology Audits

SUBJECT:         Information Technology Management Letter for the
                 Transportation Security Administration Component of the
                 FY 2013 Department of Homeland Security Financial
                 Statement Audit

Attached for your information is our final report, Information Technology Management Letter for the Transportation Security Administration of the FY 2013 Department of Homeland Security Financial Statement Audit. This report contains comments and recommendations related to information technology internal control deficiencies that were not required to be reported in the Independent Auditors' Report.

We contracted with the independent public accounting firm KPMG LLP (KPMG) to conduct the audit of the Department of Homeland Security fiscal year 2013 consolidated financial statements. The contract required that KPMG perform its audit according to generally accepted government auditing standards and guidance from the Office of Management and Budget and the Government Accountability Office. KPMG is responsible for the attached management letter dated March 11, 2014, and the conclusion expressed in it.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Audit Division, at (202) 254-5451.

Attachment


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

March 11, 2014

Office of Inspector General,
U.S. Department of Homeland Security, and

Chief Information Officer and Chief Financial Officer,
U.S. Department of Homeland Security Transportation Security Administration

Ladies and Gentlemen:

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or Department) for the year ended September 30, 2013 (referred to herein as the "fiscal year (FY) 2013 financial statements"), and have issued our report thereon dated December 11, 2013. In planning and performing our audit of the financial statements of DHS, in accordance with auditing standards generally accepted in the United States of America and Government Auditing Standards, we considered internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the financial statements. In conjunction with our audit of the financial statements, we also performed an audit of internal control over financial reporting in accordance with attestation standards issued by the American Institute of Certified Public Accountants.

In accordance with Government Auditing Standards, our Independent Auditors' Report, dated December 11, 2013, included internal control deficiencies identified during our audit that, in aggregate, represented a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level. This letter represents the separate limited distribution report mentioned in that report, of matters related to the Transportation Security Administration (TSA).

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management and communicated through Notices of Findings and Recommendations (NFRs), are intended to improve internal control or result in other operating efficiencies and are summarized as described below.

With respect to TSA's financial systems' IT controls, we noted certain matters in the areas of security management, access controls, and contingency planning. These matters are described in the General IT Control Findings and Recommendations section of this letter.

The Table of Contents identifies each section of the letter. We have provided a description of key TSA financial systems and IT infrastructure within the scope of the FY 2013 DHS financial statement audit in Appendix A, and a listing of each IT NFR communicated to management during our audit in Appendix B.

During our audit we noted certain matters involving financial reporting internal controls (comments not related to IT) and other operational matters, including certain deficiencies in internal control that we consider to be significant deficiencies and material weaknesses, and communicated them in writing to management and those charged with governance in our Independent Auditors' Report and in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements and on the effectiveness of internal control over financial reporting, and therefore may not bring to light all deficiencies in policies or procedures that may exist. We aim, however, to use our knowledge of DHS' organization gained during our work to make comments and suggestions that we hope will be useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

The purpose of this letter is solely to describe comments and recommendations intended to improve internal control or result in other operating efficiencies. Accordingly, this letter is not suitable for any other purpose.

Very truly yours,

KPMG LLP


Department of Homeland Security
Information Technology Management Letter
Transportation Security Administration
September 30, 2013


TABLE OF CONTENTS

Objective, Scope, and Approach

Summary of Findings

General IT Control Findings and Recommendations
   Findings
      Security Management
      Access Controls
      Contingency Planning
   Recommendations
      Security Management
      Access Controls
      Contingency Planning

IT Application Controls

APPENDICES

Appendix A   Description of Key TSA Financial Systems and IT Infrastructure within the Scope of the FY 2013 DHS Financial Statement Audit

Appendix B   FY 2013 IT Notices of Findings and Recommendations at TSA


OBJECTIVE, SCOPE, AND APPROACH

Objective

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or Department) for the year ended September 30, 2013 (referred to herein as the "fiscal year (FY) 2013 financial statements"). In connection with our audit of the FY 2013 financial statements, we performed an evaluation of selected general information technology (IT) controls (GITCs) and IT application controls at the Transportation Security Administration (TSA) to assist in planning and performing our audit engagement.

Scope

The scope of our GITC and IT application control test work is described in Appendix A, which provides a description of the key TSA financial systems and IT infrastructure within the scope of the TSA component of the FY 2013 DHS consolidated financial statement audit.

Approach

General Information Technology Controls

The Federal Information System Controls Audit Manual (FISCAM), issued by the U.S. Government Accountability Office, formed the basis of our GITC evaluation procedures.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors when considering the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a Federal agency. FISCAM defines the following five control categories to be essential to the effective operation of GITCs and the IT environment:

- Security Management: Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

- Access Control: Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

- Configuration Management: Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.

    - We performed technical information security testing for key TSA network and system devices. The technical security testing was performed from within select DHS facilities and focused on production devices that directly support DHS' and TSA's financial processing and key general support systems.

- Segregation of Duties: Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.

- Contingency Planning: Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

IT Application Controls

We performed testing over selected key IT application controls on financial systems and applications to assess the financial systems' internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.


SUMMARY OF FINDINGS

During FY 2012, TSA took corrective action to address certain prior year IT control deficiencies. For example, TSA made improvements over configuration management controls relative to the scripting process. However, during FY 2013, we continued to identify GITC deficiencies related to controls over security management (including deficiencies over physical security and security awareness), access control, and contingency planning for TSA core financial and feeder systems.

Collectively, the IT control deficiencies limited TSA's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over TSA financial reporting and its operations. Based upon the results of our test work, we also noted that TSA contributes to the Department's non-compliance with the relevant federal financial management systems requirements of the Federal Financial Management Improvement Act of 1996.

Of the seven IT Notices of Findings and Recommendations (NFRs) issued during our FY 2013 testing, all were repeat findings, either partially or in whole, from the prior year. The seven IT NFRs issued represent deficiencies in three of the five FISCAM GITC categories.

The majority of findings resulted from the lack of properly documented, fully designed and implemented, adequately detailed, and consistently implemented financial system controls to comply with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings stem from:

    1. Inadequately designed and ineffective access control policies and procedures relating to the management of logical access to financial applications, databases, and support systems;
    2. Insufficient logging of system events and monitoring of audit logs; and
    3. Inconsistently implemented backup management controls.

These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and TSA financial data could be compromised, thereby undermining the integrity of TSA financial data used by management and reported in TSA's and DHS' financial statements.

While the recommendations made by us should be considered by TSA, it is the ultimate responsibility of TSA management to determine the most appropriate method(s) for addressing the deficiencies identified.


GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings

During our audit of the FY 2013 DHS financial statements, we identified the following TSA GITC deficiencies.

Security Management

After-Hours Physical Security Testing

On September 4, 2013, we performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to printed or electronic media, equipment, or credentials residing within a TSA employee's or contractor's work area or shared workspaces which could be used by others to gain unauthorized access to systems housing financial or other sensitive information. The testing was performed at a TSA facility in Arlington, Virginia (VA) that processes, maintains, and/or has access to financial data.

We observed 17 instances where passwords, sensitive IT information (such as server names or IP addresses), keys, unsecured or unlocked external media, and printed materials containing sensitive Personally Identifiable Information were accessible by individuals without a "need to know".

Social Engineering

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering, or gaining computer system access.

On July 11, 2013, we performed social engineering testing from a DHS facility to identify risks related to TSA personnel awareness of responsibilities for protecting sensitive IT information, including personal system access credentials, from disclosure to unauthorized personnel. We noted two instances where individuals divulged their TSA network account password to KPMG auditors.

Access Controls

- DHS requirements for password complexity were not fully implemented for accounts on the Electronic Time Attendance and Scheduling application (eTAS).

- Audit logs for components of the eTAS environment (including the operating system and database) and supporting system software were not consistently reviewed by management, and audit logs for the eTAS application do not include activity related to changes to user accounts and associated profiles, in accordance with DHS and TSA policy.

- eTAS account management activities, including enforcement of training requirements, implementation of account inactivity controls, authorization of new or modified application access, and periodic recertification of access, were not consistently or timely documented or implemented in accordance with DHS and TSA policy.

Contingency Planning

- Restoration testing of backup media over eTAS to ensure integrity and reliability of data was not performed.

Recommendations

We recommend that the TSA Office of the Chief Information Officer (OCIO) and Office of the Chief Financial Officer (OCFO), in coordination with the DHS OCIO and the DHS OCFO, make the following improvements to TSA's financial management systems and associated IT security program.

Security Management

- Develop and deliver training and awareness materials to TSA staff and supervisors to address IT security policies and procedures related to properly securing sensitive DHS and TSA data within physical workspaces, initiate periodic after-hours reviews of TSA workspaces, and implement appropriate TSA policies and guidance in addressing identified security violations.

- Continue existing implementation of TSA's IT Security Awareness Training Program, including performing periodic internal social engineering testing, delivering individualized training and implementing administrative actions, as appropriate, and communicating reminders concerning social engineering risks and awareness.

Access Controls

- Implement technical controls to ensure that passwords for eTAS accounts are configured in accordance with DHS requirements. If necessary and justified by operational and business requirements, ensure that documented requests for exceptions from DHS password requirements identify all affected accounts subject to deviations from standard control requirements and follow established processes for DHS exceptions.

- Implement technical and monitoring controls to ensure that eTAS operating system and database audit logs include all required auditable events, are being reviewed by management on a periodic basis, are documented, and audit log review evidence is maintained in accordance with DHS and TSA requirements.

- Implement technical controls to enforce DHS and TSA requirements related to implementation of account inactivity controls.

- Implement monitoring controls over the account management process to ensure that all users granted access to eTAS have completed required training in a timely manner and have documented access authorizations, and that all accounts are recertified no less than annually, in accordance with DHS and TSA requirements.

Contingency Planning

- Perform and document annual testing to ensure the integrity and reliability of eTAS backup media in accordance with DHS and TSA requirements and NIST minimum baseline control guidance.


IT APPLICATION CONTROLS

We conducted testing over certain Core Accounting System (CAS), Financial Procurement Desktop (FPD), and Sunflower application controls supporting in-scope processes during the TSA component of the FY 2013 DHS financial statement audit and did not identify any control deficiencies.


Appendix A

Description of Key TSA Financial Systems and IT Infrastructure within the Scope of the FY 2013 DHS Financial Statement Audit

Below is a description of significant TSA financial management systems and supporting IT infrastructure included in the scope of the TSA component of the DHS FY 2013 financial statement audit.

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements for TSA. CAS is hosted at the U.S. Coast Guard Financial Center (FINCEN) in VA. CAS interfaces with other systems located at the FINCEN, including FPD and Sunflower. CAS is used by financial management personnel, as CAS is the main system of record for financial information. CAS is comprised of a Hewlett-Packard (HP) UNIX operating system and an Oracle database.

Financial Procurement Desktop (FPD)

The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD interfaces with the CAS system and is hosted at the FINCEN in VA. FPD is comprised of an HP UNIX operating system and an Oracle database.

Sunflower

Sunflower is a customized third-party commercial off-the-shelf product used for TSA and Federal Air Marshal Service property management. Sunflower interacts directly with the Office of Finance Fixed Assets module in CAS and interfaces with the FPD system. Sunflower is hosted at the FINCEN in VA. Sunflower is comprised of a Red Hat Linux operating system and an Oracle database.

Electronic Time Attendance and Scheduling (eTAS)

eTAS is an automated and standardized labor management solution. The system provides an automated means to schedule employee work and leave hours, record hours worked and not worked, and provide bi-weekly time records to TSA's payroll provider, the National Finance Center. The system automates the workforce management process to reduce the amount of time, effort, and associated cost required for entry of data. eTAS is comprised of a Windows 2003 operating system and an Oracle database, and is located at the DHS Enterprise Data Center in VA. The Office of Human Capital is responsible for eTAS.


Appendix B

FY 2013 IT Notices of Findings and Recommendations at TSA

FY 2013 NFR #   NFR Title                                                                                        FISCAM Control Area    New Issue   Repeat Issue
TSA-IT-13-01    Weakness in eTAS user recertification                                                            Access Controls                    X
TSA-IT-13-02    Weakness in eTAS password complexity                                                             Access Controls                    X
TSA-IT-13-03    Weakness in eTAS Restoration Testing of Backups                                                  Contingency Planning               X
TSA-IT-13-04    Weakness in eTAS review of audit logs                                                            Access Controls                    X
TSA-IT-13-05    eTAS System User Access                                                                          Access Controls                    X
TSA-IT-13-06    Security Awareness Issues Identified During Social Engineering Testing at TSA Headquarters       Security Management                X (1)
TSA-IT-13-07    Physical Security and Security Awareness Issues Identified During After Hours Testing at TSA Headquarters   Security Management     X (1)

(1) FY 2012 NFR TSA-IT-12-01 was split into two findings for FY 2013 to report separately on the results of each set of enhanced information security testing procedures performed at TSA.


OFFICE OF INSPECTOR GENERAL
Department of Homeland Security

Appendix A
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Under Secretary for Management
Chief Financial Officer
Chief Information Officer
Chief Information Security Officer
Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

www.oig.dhs.gov                                                             OIG-14-97


ADDITIONAL INFORMATION

To view this and any of our other reports, please visit our website at: www.oig.dhs.gov.

For further information or questions, please contact the Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to:

       Department of Homeland Security
       Office of Inspector General, Mail Stop 0305
       Attention: Office of Investigations Hotline
       245 Murray Drive, SW
       Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.